Opinion: The FCA and ICO publish joint update on GDPR
By James Delves, Head of PR and Public Affairs
Last week two significant things happened.
On Friday, the Financial Conduct Authority (FCA) and the Information Commissioners Office (ICO) published an update on the EU General Data Protection Regulation (GDPR).
Secondly, the UK Government met to discuss the progress of the Data Protection Bill through the house and when UK consumers and businesses alike can expect it to come into law.
The bills progress through government
Let’s take the latter first. The Data Protection Bill, which was first announced during the Queen’s Speech in June last year, is designed to implement the government's manifesto commitments to modernising the data protection laws in the UK. It also applies aspects of the EU’s GDPR standards, preparing Britain for Brexit.
Culture Secretary, Karen Bradley summed up what the bill will mean to marketers, businesses and consumers alike when she stated: "The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit. In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”
Asked last week when the Bill will be introduced to the House of Commons, Andrea Leadsom MP, Leader of the House stated: “The Data Protection Bill will be introduced to the House as soon as possible—as soon as parliamentary time allows.” In reality, CIM expects the Bill will be introduced after the February government recess, which runs from the 8th to the 20th February. As soon as we hear more we will update our members through our newsroom.
Less than 100 days and counting
So, we know the the Data Protection Bill is on track and, baring any delay due to the Government’s Brexit negations, will be in power sooner rather than later. What about GDPR - it’s under 100 days now till the legislation comes into power? What are the latest updates and what role will the FCA play?
On Friday, the Financial Conduct Authority (FCA) and the Information Commissioners Office (ICO) published an update on the General Data Protection Regulation, or as we know it, GDPR.
The update addressed a number of issues such as new FCA's rulings, which require financial services firms to process personal data and the possible affect that has with complying with GDPR. The joint statement mentions:
“We believe the GDPR does not impose requirements which are incompatible with the rules in the FCA Handbook. Indeed, there are a number of requirements that are common to the GDPR and the financial regulatory regime detailed in the Handbook. The requirement to treat customers fairly is also central to both data protection law and the current financial services regulatory framework. When the FCA makes rules, we take into account how our requirements will affect the privacy interests of individuals such as firms’ customers and employees, and are open and transparent on why we have made rules in the way that we have.”
The FCA, ICO and CIM all agree that GDPR compliance is a board level responsibility. Organisations must embrace the new law and regulatory framework and be able to produce evidence to demonstrate that they have taken steps to treat customers fairly. However, both the FCA and ICO also pointed out that they recognise there will be ongoing discussions to ensure how GDPR can be implemented consistently within the wider regulatory landscape.
Providing marketers with a voice
Both organisations recently hosted a GDPR roundtable, which provided industry bodies and organisations with a voice to explain concerns. The result was that the FCA and ICO have agreed to collaborate in the coming weeks and months to address the issues raised at the roundtable, in preparation for the introduction of the GDPR in May. Again, as we receive definitive answers or advice we will share them with our members.
Policing UK organisations
Also detailed in the update was how the ICO and FCA plan to share the role of monitoring and policing GDPR the latest framework updates. The ICO will regulate the GDPR. The FCA also considers GDPR under the organisation’s rule. An example of this would be the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module - as part of their obligations under SYSC, UK organisations should establish, maintain and improve appropriate technology and cyber resilience systems and controls.
Why GDPR is a business advantage
Stanley Kubrick wrote the screenplay for Dr. Strangelove or How I Learned to Stop Worrying and Love the Bomb in the 60s to address widespread fear of a nuclear threat on the horizon. GDPR should certainly not be seen in the same category for marketers. Yes, it needs to be taken seriously, but it also brings many positives.
The regulation will come into power from 25 May 2018 and will automatically apply to businesses operating in the UK. GDPR is designed to be Brexit-proof, ensuring whatever the results of the current negotiations with the EU, UK marketers need to stand up and take notice. We at CIM feel that handling consumer data correctly is a business-critical issue. Done poorly, and from May it could result in big fines – potentially up to €20 million or 4% of a business’ global annual turnover (whichever is the greater).
But if data is handled correctly, it can provide a real business advantage, allowing marketers to reach the right audience, in the right way, at the right time – and after all, understanding customers and meet their needs is fundamental to everything we do as marketers.
How can CIM can help?
- CIM offers GDPR courses (both online and in person) at all career levels including: foundation, practitioner and at board level: https://www.cim.co.uk/training-courses/gdpr-for-the-marketer-0951.html
- For more information on GDPR and the courses CIM offers please visit: https://www.cim.co.uk/more/gdpr/
For all press enquiries, please contact the media team:
An overview of CIM our history and services.
To receive sector specific news: